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(54) Title: MOBILE TELEPHONE SECURITY 
(57) Abstract 

The invention is a method of making 
a mobile telephone more secure and includes 
generating an identification code, inserting the 
code into transmitted speech, detecting the 
code at a base station and comparing it with 
stored information to verify the authenticity 
of the mobile telephone. The identification 
code comprises two portions: the first portion 
(which stores the code) being produced during 
manufacture of a chip and the second portion 
being formed by a randomised process during 
commissioning of the telephone. The invention 
overcomes problems associated with similar, 
prior art systems because the chip containing 
the identification code has part of its code 
randomly selected because it is an irreversible 
process. 
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Mobile Telephone Security 

The present invention relates to a means of making a mobile telephone more 
secure against counterfeiting, otherwise know as cloning. 

5 

Such counterfeiting occurs when a genuine mobile telephone signal is intercepted 
by a counterfeiter (scanned) and the security code (telephone or account number and 
electronic serial number of the actual handset) of the genuine telephone is recorded. This 
code is then used to re-program a stolen mobile telephone, thus producing a counterfeit 

10 of the genuine mobile telephone which can be used to make calls which will be billed to 
the genuine telephone's account. The cloning of mobile telephones is currently limited 
to analogue networks. It represents a very large proportion of telephone calls made. One 
recent estimate (New Scientist 9 Nov 96 pp.20) is £200 million per year in the U.K. 
alone. Much of this illegal traffic (particularly in the U.S.A.) is crime related, and the 

15 calls are often international. The major aspect of the problem is not the stolen telephones 
which might be reported and cancelled by the network, but the aspect whereby a 
legitimate telephone is still in operation with its owner not aware of any problem, and a 
clone is running up a bill on the same telephone. Thus any solution must either make it 
difficult to clone, or must detect a clone in operation. A solution which would allow the 

20 genuine telephone to continue operating would be of benefit. Any solution must be 
cheap in terms of any additional cost to the handset. The handsets are often sold at, or 
below, cost. Any solution should have minimal impact on the existing network base 
stations in terms of re-engineering, and again minimal cost. 

25 There are existing methods by which the cloning of a telephone can be detected. 

1) A change in calling pattern. This is probably the only method in general 

use. 

The network providers can detect when the calling pattern of a particular 
telephone changes and check with the owner that the calls being made are genuine. 
30 2) The RF footprint of every telephone. Each individual telephone has a 

slightly different RF response, and the RF footprints can be recorded at the base station 
as a call comes in. The footprint is then compared to the database for that account. 


WO 98/27768 PCT/GB97/03440 

2 

There is a system available for this, but currently costing around £100,000 per base 
station, it is considered too expensive. 

UK Patent Application Nos GB-A-2163323 and EP-A-6167331 describes signal 
5 transmission systems for telecommunication equipment. In both systems code is 
insterted into a transmitted signal However, the encoder and technique is relatively 
complex. 

Summary of the Invention 

10 The present invention provides a method of making a mobile telephone handset 

more secure comprising: 

1) Providing in a handset a means for generating at periodic intervals an 
identification code; 

2) When the handset is being used to transmit speech, inserting said 
15 identification code into the speech signal in such a way that the identification code 

cannot be heard; 

3) Providing in a base station a means for recognising said code in said 
speech patterns, the base station comparing the received code information with recorded 
information to identify the transmitting handset 

20 

In a further aspect, the present invention provides a mobile telephone handset 
including means for generating an identification code at predetermined intervals, and 
means for inserting said identification code into transmitted speech signals in such a way 
that the code is inaudible. 

25 

The use of transmitted identification codes in broadcast signals for commercial 
radio stations and television stations is described in our granted European Patent EP-B- 
0245037 and published International Patent Application WO-A-9621290. EP-B- 
0245037 discloses apparatus for labelling an audio signal comprising filters to eliminate 
30 a plurality of frequency notches from an audio signal, code generating means to produce 
a code signal having an identifying portion and a message portion represented by bursts 
of frequencies at the notch frequencies, and inserting the frequency bursts into the 
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notches in the audio signal. Monitoring means is provided to monitor the amplitude of 
the audio signal and to ensure that the inserted code signals have an amplitude relative to 
that of the audio signal so that they will not normally be heard. 

5 Preferably the present invention provides each handset of a telephone with an 

encoder chip which is connected in the audio path, and is arranged into encode 
identification (ID) code containing a single serial number audio signals in real-time 
before the signals are transmitted, 

10 A database is maintained of the ID codes which correspond to each account 

number (teletelephone number). 

A plurality and preferably all base-stations contain one or more decoder chips 
which decode incoming signals for their ID codes. 

15 

If the decoded ID code matches the data base number, then the call is valid. If 
not, the call is considered counterfeit and dealt with in a manner to be determined by the 
network operator. The options can include disconnection, feeding a signal back to 
"lock" the handset, and logging the number called for the authorities to investigate. 

20 

To circumvent the invention, the counterfeiter would need to read the ID code 
from a genuine telephone and clone it in the stolen telephone. This would be quite 
difficult for the following reasons. 

25 1. Encoder chips are blown with a random serial number at manufacture 

(perhaps during testing). This involves an irreversible process, for example burning-out 
resistors. The serial number is sufficiently large to prevent a counterfeiter from having a 
full set of chips to select from. The pre-blown chips are held securely to ensure they are 
not stolen. To allow for this possibility, some of the ID code is hard-wired by the chip 

30 mask, and if a serious security breach is detected the mask is altered, and codes with the 
known hard-wired code not used. However, even if stolen, the chip has a random 
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process within it for blowing the number, making it difficult for the counterfeiter to blow 
a particular desired number. 

2. To read the ID code off-air, the counterfeiter would need a more 
5 sophisticated scanner which incorporates a decoder. 

3. Since the encoder chip is not reprogrammable, the counterfeiter would 
have to replace it by a chip with the same function. By making the encoding process 
sufficiently complex, this would require a Digital Signal Processor (DSP) or other 

10 complex processor to perform the operation. By building in detection circuitry, which 
analyses current and voltages, it is made difficult for the counterfeiter to insert such 
programmable devices into the telephone itself. An alternative would be to cut PCB 
tracks within the telephone and attach a PC or "black box" into the circuitry. This would 
be bulky and need to remain attached whilst in use. Alternatively the counterfeiter would 

15 have to make a re-programmable chip. All these "work-arounds" make it more 
expensive for the counterfeiter to clone each telephone, and will make a cloning 
operation more difficult. This willcut out all but the most serious of counterfeiters. 

Brief Description of the Drawings 

20 

A preferred embodiment of the invention will now be described with reference to 
the accompanying drawings wherein:- 

Figure 1 is a schematic view of an encoder chip for use in a mobile teletelephone 
25 handset; 

Figure 2 is a block diagram of the internal construction of the chip; and 

Figure 3 is a schematic system diagram showing a mobile teletelephone handset 
30 in connection with a base station employing a decoding mechanism in accordance with 
the invention. 
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Description of the Preferred Embodiment 

Referring now to Figure 1, the encoder chip has a simple 6 pin structure and a 
relatively low power consumption. Pin 1 provides an audio input for speech to be 
5 transmitted, pin 2 provides an audio output, pin 3 is a ground, pin 4 is power, pin 5 is an 
erase signal and pin 6 receives a clock signal. Pin 5 is employed to blow an ID serial 
number into the chip. 

Referring to Figure 2, the encoder chip comprises notch filter 10 for removing 
10 two narrow bands at selected notch frequencies from an incoming signal. A coding unit 
12 assesses the audio signal strength and provides alternate frequency bursts at the two 
notch frequencies to represent an ID code stored in a store 14. These frequency bursts 
are inserted into the audio signal output from notch filters 10 in a combining unit 16 to 
provide an audio output on line 16. Details of units 10, 12, 14 are given in EP-B- 
15 0245037 and WO-A-962 1290. 

Memory store 14 is divided into two parts, a first part 18 containing part of the ID 
serial number taken from the chip mask, and a second part 20 left blank, to be blown-in 
during testing, as is shown in the example format below. The exact length and split of 
20 this format may be varied. For the 36-bit data code suggested here, the ID process is 
likely to use an additional 16-20 bits for error correction overhead, giving a total 50-60 
bit actual code. This improves the robustness of the scheme:- 

16-bit (65536 masks) - 20-bit (1048576 possible codes) 

25 xxxxxxxxxxxxxxx - xxxxxxxxxxxxxxxxxxxx 

samples from the same batch:- 


30 


13568 - 0219203 
13568 - 1006255 
13568 - 0563750 
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The fact that two chips may by chance have the same ID serial number does not 
matter, since in the application of the chip it is the correlation between the account 
number and ID number that counts, not whether any two accounts have the same ID 
number. There is a chance that a stolen telephone has the same number as a genuine one 
5 being cloned; however, the chance of this is insignificant (one in a million for a 
particular mask). 

Referring now to Figure 3, this shows a schematic block diagram of a base station 
30 which receives signals transmitted from handset 32. A demultiplexer 34 separates the 

10 incoming signal from the other incoming signals and passes it to a splitter 36, which 
separates the account number code, which is normally present in the handset 
transmissions. The account number is used to access a database 38, which among other 
verification operations provides an ID serial number for the handset associated with the 
account number. At the same time, a decoder unit 40 coupled to splitter 36, analyses the 

15 speech signals and derives the ID serial code present in the notch frequencies, essentially 
by the inverse of the encoding process as described above. The two derived codes are 
compared in a comparator 42. If they correspond, no further action is necessary, but if 
they do not correspond, indicating a possible illegality, appropriate measures may be 
initiated as outlined above. 

20 

The decoding process is a process which analyses the incoming signal and reports 
the ID serial number. For the 50-60 bit actual code suggested above, it would be 
expected to take about 20 seconds to confirm the code in a reliable manner. The time 
taken to confirm the code will depend on the quality of the audio signal. Additionally, 
25 there is a trade-off which can be made by making the code more audible (and also to be 
present in silent periods), and so this time period can be reduced. Higher quality means 
shorter ''time to confirm". If the counterfeiter tries to use this to circumvent the ID code, 
the system could detect that multiple short calls are being made to the same number with 
no ID confirmation. 

30 

The invention has been described by way of example only and variation may be 
made to the embodiment described. 
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CLAIMS 

1 . A method of making a mobile telephone handset more secure comprising: 

i) providing in a handset a means for generating at periodic intervals an 
5 identification code; 

ii) when the handset is being used to transmit speech, inserting said 
identification code into the speech signal in such a way that the identification code 
cannot be heard; and 

iii) providing in a base station a means for recognising said code in said 
10 speech signal patterns, the base station comparing the received code information with 

record information to identify the transmitting handset, characterised in that the code is 
held in a memory store in two parts, a first part being formed during manufacture, and a 
second part being formed by a randomised process during handset commissioning. 

15 2. A method according to claim 1, wherein the identification code is in the form of 
bursts at predetermined frequencies and is inserted into the speech signal where the audio 
signal has been filtered out at such frequencies. 

3. A mobile telephone handset including means for generating an identification code 
20 at predetermined intervals, and means for inserting said identification code into 

transmitted speech signals in such a way that the code is inaudible. 

4. A mobile telephone handset according to claim 3, wherein the code is held in a 
memory store in two parts, a first part being formed during manufacture, and the second 

25 part being formed by a randomised blowing means operative in response to an external 
control signal. 

5. A base station including means for separating a coded signal transmitted from a 
telephone, into an audio data carrying portion and a portion containing coded 

30 information and means for comparing the coded information with stored information 
specific to said telephone. 
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